OpenSSH is OpenBSD's SSH (Secure SHell) protocol implementation. SSHreplaces rlogin and rsh, and provides secure encrypted communicationsbetween two untrusted hosts over an insecure network. X11 connectionsand arbitrary TCP/IP ports can also be forwarded over a secure channel.Public key authentication can be used for "passwordless" access toservers.

A bug was found in the way the OpenSSH server handled the MaxStartupsand LoginGraceTime configuration variables. A malicious user couldconnect to the SSH daemon in such a way that it would prevent additionallogins from occuring until the malicious connections are closed. TheCommon Vulnerabilities and Exposures project (cve.mitre.org) hasassigned the name CVE-2004-2069 to this issue.

The scp command was found to expose filenames twice to shell expansion.A malicious user could execute arbitrary commands by using speciallycrafted filenames containing shell metacharacters or spaces. The CommonVulnerabilities and Exposures project (cve.mitre.org) has assigned thename CVE-2006-0225 to this issue.

Users of openssh should upgrade to these updated packages, which containbackported patches to resolve these issues.

4. Solution:

Before applying this update, make sure all previously released erratarelevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only thoseRPMs which are currently installed will be updated. Those RPMs whichare not installed but included in the list will not be updated. Notethat you can also use wildcards (*.rpm) if your current directory *only*contains the desired RPMs.

Please note that this update is also available via yum and apt. Manypeople find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in theappropriate RPMs being upgraded on your system. This assumes that youhave yum or apt-get configured for obtaining Fedora Legacy content.Please visit http://www.fedoralegacy.org/docs for directions on how toconfigure yum and apt-get.